[Webkit-unassigned] [Bug 205589] New: Handle statements in CatchClause incorrectly when stack overflow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 25 00:37:59 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=205589

            Bug ID: 205589
           Summary: Handle statements in CatchClause incorrectly when
                    stack overflow
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sunlili at ict.ac.cn

What steps will reproduce the problem?
Executing following code:
```js
var i = 0;
var j = 0;
function func(obj0) {
    {
        obj0.c = obj0.a;
        j++;
    }
}

function f() {
    try {
        f(); // recurse until the stack overflows
    } catch (e) {
        i++;
        func(Array(123456789)); // can not delete
    }
}
f();
print(i);
print(j);
```
What is the expected output?
`func(Array(123456789));` and `i++` execute the same number of times.

What do you see instead?
When I delete `func(Array(123456789));`, the output of `i` is 1. So the statements in the catch clause only execute once.
But when I keep `func(Array(123456789));`, the output of `i` is more than 1 and differs from the value of `j`.

Please use labels and text to provide additional information.

This bug exists in all mainstream JS engines: sm, d8, jsc, ch. I only analyzed the cause in ch, but I think you can refer to it.

In ch, f() is jitted; when the stack is full during recursion, the jitted code of f() will bail out. During the bailout, `i++` is executed correctly, but `func(Array(123456789));` throws an exception because the stack is full again. This exception is caught by the upper jitted f() caller and triggers a bailout again. The previous process repeats: `i++` is executed and `func(Array(123456789));` throws an exception again unless there is enough stack space for its execution.
As a result, the statements in the catch clause execute a different number of times: `i++` is executed several times but `func(Array(123456789));` is only executed once.


ISec Lab
2019.12.25
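The report shows a catch clause whose own body can overflow the stack, so part of the handler runs in one frame and part re-runs in an outer frame. The following added example (not from the bug report or from any engine's code) contrasts that structure with the robust pattern of letting the RangeError propagate to the outermost frame and doing all handling there, once. `doWork` is a hypothetical stand-in for the report's `func(Array(123456789))`; the counts returned by `unsafeCatchAtDepth` are engine-dependent, while `safeCatchAtTop` is deterministic.

```javascript
// Added example: keep fallible work out of a catch clause that runs at
// stack-overflow depth, and handle the overflow once, at the top frame.

// Hypothetical stand-in for func(Array(123456789)) in the report.
function doWork(obj) {
  obj.c = obj.a;
  return obj;
}

// Pattern from the report: the handler runs in the frame that is already at
// the stack limit, so work inside it may itself throw a RangeError and land
// in an outer frame's catch. Returns { caught, handled }; whether the two
// agree depends on the engine.
function unsafeCatchAtDepth() {
  const counts = { caught: 0, handled: 0 };
  function f() {
    try {
      f();                 // recurse until the stack overflows
    } catch (e) {
      counts.caught++;     // the report's i++
      doWork({ a: 1 });    // may overflow again at this depth
      counts.handled++;    // the report's j++
    }
  }
  f();
  return counts;
}

// Robust variant: the recursion has no handler at depth, so the RangeError
// unwinds every frame; the single handler runs with a full stack available.
function safeCatchAtTop() {
  const counts = { caught: 0, handled: 0 };
  function f() {
    f();                   // overflows; nothing is caught here
  }
  try {
    f();
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;  // only handle stack overflow
    counts.caught++;
    doWork({ a: 1 });
    counts.handled++;
  }
  return counts;
}

console.log('at depth:', unsafeCatchAtDepth());
console.log('at top:  ', safeCatchAtTop());
```

In the robust variant the two counters always match because the handler cannot be re-entered: by the time it runs, every recursive frame is gone and `doWork` has the whole stack to itself.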
